EP3591893A1 - Method and system for providing security in trusted execution environments - Google Patents

Method and system for providing security in trusted execution environments Download PDF

Info

Publication number
EP3591893A1
EP3591893A1 EP19183659.2A EP19183659A EP3591893A1 EP 3591893 A1 EP3591893 A1 EP 3591893A1 EP 19183659 A EP19183659 A EP 19183659A EP 3591893 A1 EP3591893 A1 EP 3591893A1
Authority
EP
European Patent Office
Prior art keywords
application
replicas
input
master application
master
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
EP19183659.2A
Other languages
German (de)
French (fr)
Other versions
EP3591893B1 (en
Inventor
Ghassan KARAME
Claudio Soriente
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Laboratories Europe GmbH
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Laboratories Europe GmbH filed Critical NEC Laboratories Europe GmbH
Publication of EP3591893A1 publication Critical patent/EP3591893A1/en
Application granted granted Critical
Publication of EP3591893B1 publication Critical patent/EP3591893B1/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3234Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3255Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using group based signatures, e.g. ring or threshold signatures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
    • G06F21/12Protecting executable software
    • G06F21/121Restricting unauthorised execution of programs
    • G06F21/123Restricting unauthorised execution of programs by using dedicated hardware, e.g. dongles, smart cards, cryptographic processors, global positioning systems [GPS] devices
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
    • G06F21/53Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage
    • H04L9/0897Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage involving additional devices, e.g. trusted platform module [TPM], smartcard or USB
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/64Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the present invention relates to a method and system for providing security in trusted execution environments.
  • Trusted Execution Environments e.g., Intel SGX
  • TEEs Trusted Execution Environments
  • Secret material e.g., cryptographic keys for a given piece of code
  • secure mechanisms e.g., sealing and encrypted memory.
  • application secret keys can be sealed (i.e., encrypted) at rest with keys only available to the platform hardware.
  • the application secret keys are unsealed and made available to the application.
  • Encrypted memory ensures that such keys are only available in clear text within the processor and that they are encrypted when written to memory.
  • Keys in TEE applications may be used to for different security provisions. For example, a key may be used to sign the output of the application so that external entities can verify the authenticity of the output, i.e., that the output was produced by that specific TEE application. Alternatively, an encryption key may be used to encrypt the output so that it is only available to the intended recipient that holds the corresponding decryption key. Similarly, a key may be used by a TEE application either to decrypt incoming data or to verify its authenticity.
  • TEEs including Intel SGX
  • Ahmad Moghimi et al. “CacheZoom: How ⁇ SGX ⁇ Amplifies the Power of Cache Attacks”
  • CHES 2017 the entire contents of which are hereby incorporated by reference herein
  • Marcus Hähnel et al. "High-Resolution Side Channels for Untrusted Operating Systems”
  • Usenix ATC 2017 (“Hähnel”) (the entire contents of which are hereby incorporated by reference herein).
  • Spectre an attack that leverages speculative execution of processors known as Spectre (see e.g., Paul Kocher et al., "Spectre Attacks: Exploiting Speculative
  • a method secures a system that includes an application owner, a master application, and a plurality secure platforms.
  • the master application receives from the application owner an application and an input.
  • the application is configured to compute a function to calculate an output from the input.
  • the master application deploys replicas of the application on a number of the secure platforms.
  • the master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas.
  • the master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input.
  • the master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
  • the present invention provides systems and methods that mitigate consequences of side-channel attacks in trusted execution environments (TEEs).
  • TEEs trusted execution environments
  • Embodiments of the present invention solve, for example, the problem of leakage of secret material from TEEs, such as Intel SGX, via side-channels.
  • TEEs are susceptible to side-channel attacks that may leak secret material, e.g., private keys of an application running in a TEE. Leakage of the private key invalidates any security provisions that relies on the secrecy of such key.
  • Embodiments of the present invention provide an improvement over the state of the art by introducing techniques to create side-channel tolerant TEEs. For example, embodiments of the present invention overcome weaknesses of TEE applications related to side-channels by implementing mechanisms that provide desirable security provisions while tolerating side-channels.
  • a fundamental precondition of a successful side-channel attack is that the attacker co-locates with the victim, i.e., the victim application and the attacker's code run on the same platform.
  • Embodiments of the invention leverage replication and distribution of TEE applications on different platforms to mitigate the effectiveness of side-channel attacks.
  • An adversary may still co-locate with some of the platforms where replicas of the victim application are running. The adversary may, therefore, leak the secrets of those application replicas by means of side-channel attacks. Yet, the adversary will not be able to invalidate the security provisions guaranteed by the secret keys of the application replicas, unless the adversary co-locates with all of the application replicas.
  • Embodiment of the present invention leverage seamless application replication in conjunction with cryptographic mechanisms to make the TEE applications robust to side-channels attack.
  • the application owner provides the code of the TEE application to a master application.
  • the master application is a specialized TEE application that takes care of replicating the TEE application over several platforms and of coordinating the cryptographic protocols required.
  • An aspect of embodiments of the present invention is that, by using replication and threshold signature schemes, the consequences of a side-channel attack to TEE applications that require authenticated output data are mitigated.
  • Another aspect of embodiments of the present invention is that, by using replication and multi-party computation, the consequence of a side-channel attack to TEE applications that require confidential input and output data are mitigated.
  • the master application checks that each application replica has returned the same value y .
  • the master application then aggregates all partial signatures and forwards y and the aggregated signature to the application owner.
  • the latter application owner may verify authenticity of y by verifying the aggregated signature using the verification key received by the master application.
  • the adversary must launch a successful side-channel attack on at least t platforms to be able to sign arbitrary data on behalf of the application.
  • a master application creates n replicas of the TEE application and distributes each replica on a different platform.
  • the master application distributes encryption/decryption keys to the replicas in order to establish point-to-point confidential channels between any pair of replicas and between each replica and the master application.
  • the master application may also create a confidential channel with the application owner by means of a shared key. Given the owner supplied input x, the master application computes random additive shares of x and distributes each share to each of the application replicas.
  • y f ( x ) .
  • Each application replica sends the random additive share of y to the master application.
  • the master application recovers y by summing the additive shares and forwards the result to the application owner.
  • An embodiment of the present invention provides a method that secures a system that includes an application owner, a master application, and a plurality secure platforms.
  • the master application receives from the application owner an application and an input.
  • the application computes a function to calculate an output from the input.
  • the master application deploys replicas of the application on a number of the secure platforms.
  • the master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas.
  • the master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input.
  • the master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
  • the method may further include: instantiating, by the master application a threshold signature signing scheme.
  • the instantiating may include: distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; and sending, by the master application, a verification key of the threshold signature signing scheme to the application owner; and receiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key.
  • the master application may send the entire input to each of the replicas.
  • the respective result received by the master application for each of the replicas may correspond to the output of the function applied to the input,
  • the method may further include: generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; and outputting, by the master application, the reconstructed signature to the application owner.
  • the reconstructed signature may be configured to be verified by the verification key.
  • the respective result received by the master application for each of the replicas may be signed with the respective partial signature, and the output may be configured to be verified using the reconstructed signature and the verification key.
  • the master application and the secure platforms are instantiated in trusted execution environment enclaves.
  • the method may further include receiving, by the master application, a replication parameter.
  • the number of replicas and the number of security platforms may each correspond to the replication parameter.
  • the number of secure platforms is at least two.
  • the method further includes: respectively selecting, by the master application, a key for each pair of the replicas, and respectively sending, by the master application, the respective key to each pair of the replicas.
  • the respective key may be configured to enable a secure channel between the respective pair of the replicas.
  • the key is a random key.
  • the method may further include: splitting, by the master application, the input into shares of the input.
  • the at least a portion of the input respectively sent to each of the respective replicas may corresponds to one of the shares of the input.
  • the respective result calculated by each of the replicas may be a partial result that is determined according to the function applied to the respective one of the shares of the input.
  • the output may be determined by aggregating the partial result respectively received from each of the replicas.
  • he function is linear and the respective partial result received is calculated individually the respective one of the replicas.
  • the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
  • Another embodiment of the present invention provides a secure platform having a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
  • the master application can be configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
  • Another embodiment of the present invention provides a non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
  • An embodiment of the invention is based on the threshold version of the BLS signature scheme. More information on the BLS signature scheme can be found in: Dan Boneh et al., "Short Signatures from the Weil Pairing," ASIACRYPT 2001 , the entirety of which is incorporated by reference herein.
  • G be a Gap-Diffie-Hellman group-i.e., a group of prime order p with generator g and pairing operation e:GxG ⁇ G T .
  • H be a hash function that maps strings of arbitrary length to elements of G.
  • the BLS signature scheme is a triplet of algorithms KeyGen, Sign, Verify, defined as follows:
  • Threshold BLS signatures are described in Alexandra Boldyreva, “Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," Public Key Cryptography 2003 (“Boldyreva”), the entire contents of which are incorporated by reference herein.
  • Threshold BLS signatures given a BLS signature scheme ( KeyGen, Sign, Verify ) the threshold version has an additional triplet of algorithms: Share, Share-Sign, Reconstruct, defined as follows:
  • the dealer then computes n key-shares by calling Share on sk.
  • Each key-share is given to a different signer.
  • Each signer computes a signature-share on a message m by calling Share-Sign with input its key-share.
  • any party Given at least t signature-shares on a message m, any party can reconstruct a valid signature ⁇ on message m by calling Reconstruct.
  • the signature output by Reconstruct can be verified with vk by calling Verify.
  • the security provisions of the threshold signature scheme guarantee that no coalition of up to t -1 holders of key-shares can produce a valid signature on arbitrary message m .
  • FIG. 1 illustrates an embodiment of a system for providing security in a TEE according to the present invention.
  • a system 100 may include an application owner 110 in communication with a master application 120, which in turn is in communication with at least one compute device 130 hosting at least one platform P.
  • the application owner 110 and master application 120 may also be hosted on compute devices (e.g., personal computers, servers, IoT devices, mobile phones, etc.).
  • the application owner 110 provides the master application 120 with a TEE application code A, an input x, and a replication parameter n.
  • the master application 120 deploys the application A on the platform P i . This is done by sending a replica of the application A to the platform P i .
  • the platform P i installs the application A in a local enclave 140 of the compute device 130 hosting the platform P i .
  • the local enclave 140 may be secure enclave such as provided by Intel SGX.
  • a i denotes the replica of the application A that runs in an enclave 140 on the platform P i .
  • n 3; thus the master application 120 deploys three replicas A 1 - A 3 of the application A individually in the three platforms P 1 - P 3 .
  • n is at least two, such that at least two enclaves are used to ensure security against leakage.
  • the master application 120 also verifies that a replica A i of the application A is running in an enclave 140 on each platform P i by means of the remote attestation service.
  • the remote attestation service For example, an embodiment can use the remote attestation service of Intel SGX.
  • Remote attestation also allows the master application 120 and the replica A i of the application A to establish a confidential channel by means of a shared key. Any further communication between the master application 120 and any replica A i of the application A happens over the corresponding confidential channel.
  • the master application 120 sets up a threshold signature scheme TS (see e.g., Boldyreva discussing threshold signature schemes) and runs TS.KeyGen to obtain a signing key sk and its corresponding verification key vk.
  • the master application 120 calls TS.Share on the signing key sk to generate key-shares sk 1 ,...sk n , and provides each replica A i with a corresponding key-share sk i (1 ⁇ i ⁇ n ).
  • the verification key vk is provided to the application owner 100 by the master application 120.
  • the master application 120 forwards x to each application replica A i .
  • the master application 120 collects ( y, ⁇ i ,..., ⁇ n ), computes a reconstructed signature ⁇ by calling TS.Reconstruct on the partial signatures ⁇ i ,..., ⁇ n , and forwards ( y, ⁇ ) to the application owner 110 who may verify authenticity of the reconstructed signature ⁇ by using the verification key vk.
  • FIG. 2 illustrates a method 200 for providing security in trusted execution environments according to an embodiment of the present invention.
  • the method 200 secures a trusted execution environment from, inter alia, a side channel attack.
  • the method 200 may be operated in a system (such as system 100) that includes at least one application owner (such as application owner 110) at least one master application (such as master application 120), and a plurality of trusted execution environment enabled platforms (such as platform P i ).
  • a system such as system 100
  • the master application may run on an additional TEE platform (i.e., a master trusted execution environment platform), such as an SGX-enabled platform.
  • the master application receives an application binary A and an input x from the application owner (S201).
  • the application binary A computes a function f to calculate and output y from the input x.
  • the master application deploys n replicas of application binary A over n different secure platforms (S202).
  • the secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
  • the master application attests each replica and establishes a secure channel with each replica of the application binary A (S203).
  • the master application instantiates a threshold signature scheme and distributes shares of the signing scheme to the replicas (S204).
  • the master application provides the verification key of the threshold signature scheme to the application owner (S205).
  • the master application sends the input x to each of the replicas (S206).
  • the master application receives each replica's output y and each replica's partial signature (S208).
  • the master application aggregates the partial signature into a standard signature (S209).
  • the master application sends the output y and the standard signature to the application owner (S210).
  • the application owner checks authenticity of the output y by verifying the standard signature using the verification key (S211).
  • the application owner 310 provides the master application 320 with a TEE application code A, an input x, and a replication parameter n.
  • the master application 320 deploys the application A on the platform P i . This is done by sending a replica of the application A to the platform P i .
  • the platform P i installs the application A in a local enclave 340 of the compute device 330 hosting the platform P i .
  • a i denotes the replica of the application A that runs in an enclave 340 on the platform P i .
  • the master application 320 verifies that the replica A i of the application A is running in an enclave 340 on the platform P i by means of a remote attestation service.
  • a remote attestation service provided by Intel SGX.
  • Remote attestation also allows the master application 320 and the replica application A i to establish a confidential channel by means of a shared key sk. Any further communication between the master application 320 and any application replica A i happens over the corresponding confidential channel.
  • the master application 320 picks at random a key K ij and distributes it to A i and A j . Any further communication between A i and A j happens over the confidential channel established by means of K ij .
  • each pair of application replicas A i , A j (1 ⁇ i, j ⁇ n ) may attest each-other by means of the remote attestation service, e.g., the remote attestation service of Intel SGX, in order to establish a confidential channel by means of a shared key. Any further communication between A i and A j happens over the confidential channel established.
  • the remote attestation service e.g., the remote attestation service of Intel SGX
  • the master application may be considered a trusted entity to act on behalf of the owner.
  • f non-linear
  • the SPDZ framework can be used (see e.g., Hähnel discussing SPDZ).
  • all such triplets can be defined, shared, and distributed by the master application 320 to the application replicas A i . That is, given a random triplet a,b,c, the master application 320 computes n (linear) shares of a as a 1 ,...,a n and sends a i to A i .
  • FIG. 4 illustrates a method 400 for providing security in trusted execution environments according to an embodiment of the present invention.
  • the method 400 secures a trusted execution environment from, inter alia, a side channel attack.
  • the method 400 may be operated in a system (such as system 300) that includes at least one application owner (such as application owner 310) at least one master application (such as master application 320), and a plurality of trusted execution environment enabled platforms (such as platforms P i ).
  • a system such as system 300
  • the master application may run on an additional SGX-enabled platform.
  • the master application receives an application binary A and an input x from the application owner (S401).
  • the application binary A computes a function f to calculate and output y from the input x.
  • the function f may be linear or non-linear.
  • the master application deploys n replicas of application binary A over n different secure platforms (S402).
  • the secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
  • the master application attests each replica and establishes a secure channel with each replica of the application binary A (S403).
  • Each pair of replicas establishes a secure connection between them (S404).
  • the master application distributes a random key to each pair of replicas for establishing the secure channel (S404a).
  • each pair of replicas performs remote attestation to form the secure channel (S404b).
  • the master application splits the input x into n additive random shares, and sends a share to each of the replicas (S405).
  • Each replica computes its share of the output (S406).
  • each replica computes its share of the output separately (S406a).
  • all replicas engage in a secure multi-party computation protocol to compute their output shares (S406b). Once the output shares are computed, the output shares are sent to and received by the master application (S407).
  • the master application aggregates the output shares to compute the output (S408).
  • the master application sends the output to the application owner (S409).
  • FIG. 5 is a block diagram of a processing system according to one embodiment for providing a secure trusted execution environment.
  • the processing system can be used to implement the system and method described above.
  • each of the platforms, the application owner, and master application may be implemented on a processing system such as shown in FIG. 5 .
  • Each processing system includes at least one processor 704, such as a central processing unit (CPU) of the computing device or a dedicated special-purpose processor, executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above.
  • the computer executable instructions are stored (e.g., locally stored) and accessed from a non-transitory computer readable medium, such as storage 710, which may be a hard drive or flash drive.
  • Read Only Memory (ROM) 706 includes computer executable instructions for initializing the processor 704, while the random-access memory (RAM) 708 is the main memory for loading and processing instructions executed by the processor 704.
  • the network interface 712 may connect to a wired network or cellular network and to a local area network or wide area network, such as the Internet.
  • the recitation of "at least one of A, B and C” should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise.
  • the recitation of "A, B and/or C" or "at least one of A, B or C” should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Technology Law (AREA)
  • Multimedia (AREA)
  • Computing Systems (AREA)
  • Remote Sensing (AREA)
  • Radar, Positioning & Navigation (AREA)
  • Storage Device Security (AREA)

Abstract

A method secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends to the application owner, the output.

Description

    FIELD
  • The present invention relates to a method and system for providing security in trusted execution environments.
    • BACKGROUND
  • Trusted Execution Environments (TEEs), e.g., Intel SGX, allow for running applications in isolation from other software on the same host. Secret material, e.g., cryptographic keys for a given piece of code, are protected by the platform hardware and managed by secure mechanisms, e.g., sealing and encrypted memory. For example, application secret keys can be sealed (i.e., encrypted) at rest with keys only available to the platform hardware. At runtime, the application secret keys are unsealed and made available to the application. Encrypted memory ensures that such keys are only available in clear text within the processor and that they are encrypted when written to memory.
  • Keys in TEE applications may be used to for different security provisions. For example, a key may be used to sign the output of the application so that external entities can verify the authenticity of the output, i.e., that the output was produced by that specific TEE application. Alternatively, an encryption key may be used to encrypt the output so that it is only available to the intended recipient that holds the corresponding decryption key. Similarly, a key may be used by a TEE application either to decrypt incoming data or to verify its authenticity.
  • TEEs, including Intel SGX, are vulnerable to side-channel attacks. See, e.g., Ahmad Moghimi et al., "CacheZoom: How {SGX} Amplifies the Power of Cache Attacks," CHES 2017 (the entire contents of which are hereby incorporated by reference herein); Marcus Hähnel et al., "High-Resolution Side Channels for Untrusted Operating Systems," Usenix ATC 2017 ("Hähnel") (the entire contents of which are hereby incorporated by reference herein). Recently, an attack that leverages speculative execution of processors known as Spectre (see e.g., Paul Kocher et al., "Spectre Attacks: Exploiting Speculative
  • Execution," CoRR abs/1801.01203 2018 (the entire contents of which are hereby incorporated by reference herein)) was successfully adapted to Intel SGX to leak secrets of a victim TEE application (Guoxing Chen et al., "SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution," CoRR/abs/1802.09085, 2018 (the entire contents of which are hereby incorporated by reference herein)). Once the key has been leaked, any security provisions that relies on the secrecy of that key is invalidated. For example, if the key is used to sign the application output, the adversary may use the leaked key to sign arbitrary data on behalf of the application.
  • Patches and architectural changes are periodically issued to mitigate side-channels attacks. However, side-channels are an inherent aspect of platforms where multiple distrusting applications run, and a TEE architecture immune to side-channels is unlikely to appear on the market.
    • SUMMARY
  • In an embodiment, a method secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application is configured to compute a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
    • BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention will be described in even greater detail below based on the exemplary figures. The invention is not limited to the exemplary embodiments. All features described and/or illustrated herein can be used alone or combined in different combinations in embodiments of the invention. The features and advantages of various embodiments of the present invention will become apparent by reading the following detailed description with reference to the attached drawings which illustrate the following:
    • FIG. 1 illustrates a system implementing an embodiment of the present invention;
    • FIG. 2 illustrates a method according to an embodiment of the present invention;
    • FIG. 3 illustrates another system implementing an embodiment of the present invention;
    • FIG. 4 illustrates another method according to an embodiment of the present invention; and
    • FIG. 5 is a block diagram of a processing system according to one embodiment of the present invention.
    DETAILED DESCRIPTION
  • The present invention provides systems and methods that mitigate consequences of side-channel attacks in trusted execution environments (TEEs). Embodiments of the present invention solve, for example, the problem of leakage of secret material from TEEs, such as Intel SGX, via side-channels.
  • TEEs are susceptible to side-channel attacks that may leak secret material, e.g., private keys of an application running in a TEE. Leakage of the private key invalidates any security provisions that relies on the secrecy of such key. Despite a number of patches and architectural improvements aimed at countering side-channel attacks thus far available, it is unlikely that a traditional TEE immune to side-channels will be feasible in the near future. Embodiments of the present invention, however, provide an improvement over the state of the art by introducing techniques to create side-channel tolerant TEEs. For example, embodiments of the present invention overcome weaknesses of TEE applications related to side-channels by implementing mechanisms that provide desirable security provisions while tolerating side-channels.
  • A fundamental precondition of a successful side-channel attack is that the attacker co-locates with the victim, i.e., the victim application and the attacker's code run on the same platform. Embodiments of the invention, however, leverage replication and distribution of TEE applications on different platforms to mitigate the effectiveness of side-channel attacks. An adversary may still co-locate with some of the platforms where replicas of the victim application are running. The adversary may, therefore, leak the secrets of those application replicas by means of side-channel attacks. Yet, the adversary will not be able to invalidate the security provisions guaranteed by the secret keys of the application replicas, unless the adversary co-locates with all of the application replicas.
  • Embodiments of the current invention are discussed below in connection with a scenario where an application owner deploys a TEE application to compute a function f over owner-supplied inputs. That is, the TEE application computes and outputs y = f(x) where x is the input supplied by the application owner.
  • Embodiment of the present invention leverage seamless application replication in conjunction with cryptographic mechanisms to make the TEE applications robust to side-channels attack. In example embodiments, the application owner provides the code of the TEE application to a master application. The master application is a specialized TEE application that takes care of replicating the TEE application over several platforms and of coordinating the cryptographic protocols required.
  • An aspect of embodiments of the present invention is that, by using replication and threshold signature schemes, the consequences of a side-channel attack to TEE applications that require authenticated output data are mitigated.
  • Another aspect of embodiments of the present invention is that, by using replication and multi-party computation, the consequence of a side-channel attack to TEE applications that require confidential input and output data are mitigated.
  • For the present discussion, consider the scenario where the application owner requires the TEE application output to be authenticated by means of a signature scheme. In an embodiment of the present invention, the master application creates n replicas of the TEE application and distributes each replica on a different platform (e.g., a TEE enclave of a different platform). Further, the master application instantiates a t-out-of-n threshold signature scheme and provides each application replica with a share of the signing key. The corresponding verification key is supplied to the application owner. Each application replica receives the owner supplied input x, computes y = f(x), and uses its share of the signing key to compute a partial signature on y. Each application replica sends y and the partial signature to the master application. The master application checks that each application replica has returned the same value y. The master application then aggregates all partial signatures and forwards y and the aggregated signature to the application owner. The latter application owner may verify authenticity of y by verifying the aggregated signature using the verification key received by the master application.
  • As such, the adversary must launch a successful side-channel attack on at least t platforms to be able to sign arbitrary data on behalf of the application. In deployments, the threshold t of the signature scheme may be set to the number of platforms available (i.e., t = n), so that the adversary must launch a successful side-channel attack on all of the platforms in order to sign data on behalf of the TEE application.
  • In another embodiment, consider a scenario where the application owner requires input/output confidentiality by means of an encryption/decryption key. Here, a master application creates n replicas of the TEE application and distributes each replica on a different platform. The master application distributes encryption/decryption keys to the replicas in order to establish point-to-point confidential channels between any pair of replicas and between each replica and the master application. The master application may also create a confidential channel with the application owner by means of a shared key. Given the owner supplied input x, the master application computes random additive shares of x and distributes each share to each of the application replicas. The n replicas engage in a secure multi-party computation protocol so that each replica computes a random additive share of y = f(x). See Ivan Damgård et al., Multiparty Computation from Somewhat Homomorphic Encryption, CRYPTO 2012 (discussing multi-party computation, the entire contents of which are hereby incorporated by reference herein). Each application replica sends the random additive share of y to the master application. The master application recovers y by summing the additive shares and forwards the result to the application owner.
  • Since each application instance receives a random share of the input x, an adversary that successfully compromises the secret keys of up to n-1 replicas, does not learn any information on x. Further, because of the security provisions of secure multi-party computation, an adversary that compromises the secret keys of up to n-1 replicas learns nothing about y.
  • An embodiment of the present invention provides a method that secures a system that includes an application owner, a master application, and a plurality secure platforms. The master application receives from the application owner an application and an input. The application computes a function to calculate an output from the input. The master application deploys replicas of the application on a number of the secure platforms. The master application establishes a secure channel with each of the replicas, and sends at least a portion of the input to the replicas. The master application receives a result calculated by each of the replicas. The result is determined according to the function and the at least the portion of input. The master application determines the output based on the result received from each of the replicas; and sends the output to the application owner.
  • The method may further include: instantiating, by the master application a threshold signature signing scheme. The instantiating may include: distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; and sending, by the master application, a verification key of the threshold signature signing scheme to the application owner; and receiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key.
  • The master application may send the entire input to each of the replicas. The respective result received by the master application for each of the replicas may correspond to the output of the function applied to the input,
  • The method may further include: generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; and outputting, by the master application, the reconstructed signature to the application owner. The reconstructed signature may be configured to be verified by the verification key. The respective result received by the master application for each of the replicas may be signed with the respective partial signature, and the output may be configured to be verified using the reconstructed signature and the verification key.
  • In an embodiment, the master application and the secure platforms are instantiated in trusted execution environment enclaves.
  • The method may further include receiving, by the master application, a replication parameter. The number of replicas and the number of security platforms may each correspond to the replication parameter.
  • In an embodiment, the number of secure platforms is at least two.
  • In an embodiment, the method further includes: respectively selecting, by the master application, a key for each pair of the replicas, and respectively sending, by the master application, the respective key to each pair of the replicas. The respective key may be configured to enable a secure channel between the respective pair of the replicas. In an embodiment, the key is a random key.
  • The method may further include: splitting, by the master application, the input into shares of the input. The at least a portion of the input respectively sent to each of the respective replicas may corresponds to one of the shares of the input. The respective result calculated by each of the replicas may be a partial result that is determined according to the function applied to the respective one of the shares of the input. The output may be determined by aggregating the partial result respectively received from each of the replicas.
  • According to an embodiment, he function is linear and the respective partial result received is calculated individually the respective one of the replicas.
  • In an embodiment, the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
  • Another embodiment of the present invention provides a secure platform having a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
  • The master application can be configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
  • Another embodiment of the present invention provides a non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations: receive an application and an input, the application configured to compute a function to calculate an output from the input when executed; deploy a plurality of replicas of the application on a number of secure platforms; establish a secure channel with each of the replicas; send at least a portion of the input to the replicas; receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input; determine the output based on the result received from each of the replicas; and send to an application owner, the output.
  • An embodiment of the invention is based on the threshold version of the BLS signature scheme. More information on the BLS signature scheme can be found in: Dan Boneh et al., "Short Signatures from the Weil Pairing," ASIACRYPT 2001 , the entirety of which is incorporated by reference herein.
  • For a BLS signature scheme, let G be a Gap-Diffie-Hellman group-i.e., a group of prime order p with generator g and pairing operation e:GxG→G T . Further, let H be a hash function that maps strings of arbitrary length to elements of G. The BLS signature scheme is a triplet of algorithms KeyGen, Sign, Verify, defined as follows:
  • KeyGen picks a random x in Z p*, computes, and returns verification key vk= g x and signing key sk=x.
  • Sign takes as input a signing key sk and a message m, computes σ=H(m)sk and returns σ.
  • Verify takes as input a verification key vk, a message m and a signature σ, and it returns 1 if e(σ,g)=e(H(m),vk) or 0 otherwise.
  • Threshold BLS signatures are described in Alexandra Boldyreva, "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme," Public Key Cryptography 2003 ("Boldyreva"), the entire contents of which are incorporated by reference herein.
  • For Threshold BLS signatures, given a BLS signature scheme (KeyGen, Sign, Verify) the threshold version has an additional triplet of algorithms: Share, Share-Sign, Reconstruct, defined as follows:
  • Share picks as an input a signing key sk and two values t, n where tn. It outputs n random key-shares sk 1,...sk n computed as follows. Pick at random t-1 coefficients a 1,...,a t-1 to define polynomial p(x) = sk + a 1 x +a 2 x 2 +...a t-1 x t-1. Set sk i=p(i) for (≤ in). If t = n, then sk 1 ,...sk n-1 are chosen at random and sk n is set to sk n = sk - (sk 1 +...+ sk n)
  • Share-Sign takes as an input a key-share sk i and a message m, computes σ i = H(m)sk i and returns a signature-share σ i.
  • Reconstruct takes as an input a set R of at least t signature-shares on a message m and outputs a signature σ = Πi∈R(σ i Li) where L i is the appropriate Lagrange coefficient. If t = n, then we require |R|= n and the signature is computed as σ = Πi∈R(σ i)
  • Here, one designated party-known as the dealer-computes a key pair sk,vk by calling KeyGen. The dealer then computes n key-shares by calling Share on sk. Each key-share is given to a different signer. Each signer computes a signature-share on a message m by calling Share-Sign with input its key-share. Given at least t signature-shares on a message m, any party can reconstruct a valid signature σ on message m by calling Reconstruct. The signature output by Reconstruct can be verified with vk by calling Verify.
  • The security provisions of the threshold signature scheme guarantee that no coalition of up to t-1 holders of key-shares can produce a valid signature on arbitrary message m.
  • FIG. 1 illustrates an embodiment of a system for providing security in a TEE according to the present invention. As shown in FIG. 1, a system 100 may include an application owner 110 in communication with a master application 120, which in turn is in communication with at least one compute device 130 hosting at least one platform P. The application owner 110 and master application 120 may also be hosted on compute devices (e.g., personal computers, servers, IoT devices, mobile phones, etc.).
  • In one embodiment of the invention, the application owner 110 provides the master application 120 with a TEE application code A, an input x, and a replication parameter n.
  • For 1 ≤ in, the master application 120 deploys the application A on the platform P i. This is done by sending a replica of the application A to the platform P i. The platform P i., in turn, installs the application A in a local enclave 140 of the compute device 130 hosting the platform P i. According to an embodiment, the local enclave 140 may be secure enclave such as provided by Intel SGX. A i denotes the replica of the application A that runs in an enclave 140 on the platform P i . As shown in the embodiment of FIG. 1, n = 3; thus the master application 120 deploys three replicas A 1-A 3 of the application A individually in the three platforms P 1-P 3.
  • According to an embodiment, n is at least two, such that at least two enclaves are used to ensure security against leakage.
  • The master application 120 also verifies that a replica A i of the application A is running in an enclave 140 on each platform Pi by means of the remote attestation service. For example, an embodiment can use the remote attestation service of Intel SGX. Remote attestation also allows the master application 120 and the replica A i of the application A to establish a confidential channel by means of a shared key. Any further communication between the master application 120 and any replica A i of the application A happens over the corresponding confidential channel.
  • The master application 120 sets up a threshold signature scheme TS (see e.g., Boldyreva discussing threshold signature schemes) and runs TS.KeyGen to obtain a signing key sk and its corresponding verification key vk. The master application 120 calls TS.Share on the signing key sk to generate key-shares sk 1 ,...sk n , and provides each replica A i with a corresponding key-share sk i(1 ≤ in). The verification key vk is provided to the application owner 100 by the master application 120.
  • The master application 120 forwards x to each application replica A i. Each application replica A i computes y = f(x), and uses its key-share sk i to sign the outcome of its computation by calling TS.Share-Sign. That is, each application replica A i outputs (y, σ i), where σ i is a partial signature over y computed by using sk i.
  • The master application 120 collects (y, σ i,..., σ n), computes a reconstructed signature σ by calling TS.Reconstruct on the partial signatures σ i,..., σ n, and forwards (y, σ) to the application owner 110 who may verify authenticity of the reconstructed signature σ by using the verification key vk.
  • FIG. 2 illustrates a method 200 for providing security in trusted execution environments according to an embodiment of the present invention. In particular, the method 200 secures a trusted execution environment from, inter alia, a side channel attack. The method 200 may be operated in a system (such as system 100) that includes at least one application owner (such as application owner 110) at least one master application (such as master application 120), and a plurality of trusted execution environment enabled platforms (such as platform P i). For example, there can be n SGX-enabled platforms, which may be at the application owner's premises or remote. Also, the master application may run on an additional TEE platform (i.e., a master trusted execution environment platform), such as an SGX-enabled platform.
  • In the method, the master application receives an application binary A and an input x from the application owner (S201). In an embodiment, the application binary A computes a function f to calculate and output y from the input x.
  • The master application deploys n replicas of application binary A over n different secure platforms (S202). The secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
  • The master application attests each replica and establishes a secure channel with each replica of the application binary A (S203).
  • The master application instantiates a threshold signature scheme and distributes shares of the signing scheme to the replicas (S204). The master application provides the verification key of the threshold signature scheme to the application owner (S205).
  • The master application sends the input x to each of the replicas (S206).
  • Each replica computes the output, i.e., y = f(x), and computes a partial signature of the output y using its share of the signing key (S207).
  • The master application receives each replica's output y and each replica's partial signature (S208).
  • The master application aggregates the partial signature into a standard signature (S209).
  • The master application sends the output y and the standard signature to the application owner (S210).
  • The application owner checks authenticity of the output y by verifying the standard signature using the verification key (S211).
  • Referring to FIG. 3, another embodiment of a system 300 according to the invention is illustrated. In the system 300, the application owner 310 provides the master application 320 with a TEE application code A, an input x, and a replication parameter n.
  • For 1 ≤ in, the master application 320 deploys the application A on the platform P i. This is done by sending a replica of the application A to the platform P i. The platform P i, in turn, installs the application A in a local enclave 340 of the compute device 330 hosting the platform P i. A i denotes the replica of the application A that runs in an enclave 340 on the platform P i.
  • The master application 320 verifies that the replica A i of the application A is running in an enclave 340 on the platform P i by means of a remote attestation service. For example, an embodiment can use the remote attestation service provided by Intel SGX. Remote attestation also allows the master application 320 and the replica application A i to establish a confidential channel by means of a shared key sk. Any further communication between the master application 320 and any application replica A i happens over the corresponding confidential channel.
  • For each pair of application replicas A i, A j (1 ≤ i, jn), the master application 320 picks at random a key K ij and distributes it to A i and A j. Any further communication between A i and A j happens over the confidential channel established by means of K ij.
  • According to another embodiment, each pair of application replicas A i, Aj (1 ≤ i, jn) may attest each-other by means of the remote attestation service, e.g., the remote attestation service of Intel SGX, in order to establish a confidential channel by means of a shared key. Any further communication between A i and A j happens over the confidential channel established.
  • In an embodiment, the master application 320 splits x in n additive random shares x 1,...,x n. This can be done, for example, by picking x 1,...,x n-1 at random and then setting x n = x-(x 1 +...+ x n-1). The master application 320 sends share x i to application replica A i.
  • If f is linear, e.g., f = ax + b, then each replica A i computes y' i = f'(x i)=ax i , and outputs y' i . The master application 320 computes y = Σi=1,...,n y'i + b and sends it to the application owner 310. Here, the master application may be considered a trusted entity to act on behalf of the owner.
  • If f is non-linear, then all application replicas A i engage in a secure multi-party computation protocol to compute linear shares of y = f(x). For example, the SPDZ framework can be used (see e.g., Hähnel discussing SPDZ). The SPDZ framework uses an offline phase where parties must compute shares of triplet a,b,c such that c = ab. In settings of embodiments, all such triplets can be defined, shared, and distributed by the master application 320 to the application replicas A i . That is, given a random triplet a,b,c, the master application 320 computes n (linear) shares of a as a 1 ,...,a n and sends a i to A i. The same approach is used to compute and distribute shares of b and c. Once all triplets have been shared across the application replicas A i, all of them move to the online phase of the SPDZ protocol to compute shares of y. Here, y' i is the share of y held by the application replica A i at the end of the online phase of the SPDZ protocol. A i sends y' i to the master application 320. The master application 320 aggregates (i.e., sums) all y' i (1 ≤ in) to recover y and forwards it to the application owner 310.
  • FIG. 4 illustrates a method 400 for providing security in trusted execution environments according to an embodiment of the present invention. In particular, the method 400 secures a trusted execution environment from, inter alia, a side channel attack. The method 400 may be operated in a system (such as system 300) that includes at least one application owner (such as application owner 310) at least one master application (such as master application 320), and a plurality of trusted execution environment enabled platforms (such as platforms P i). For example, there can be n SGX-enabled platforms, which may be at the application owner's premises or remote. Also, the master application may run on an additional SGX-enabled platform.
  • In the method, the master application receives an application binary A and an input x from the application owner (S401). In an embodiment, the application binary A computes a function f to calculate and output y from the input x. The function f may be linear or non-linear.
  • The master application deploys n replicas of application binary A over n different secure platforms (S402). The secure platforms include trusted execution environment enclaves; for example, the secure platforms may be SGX-enabled platforms.
  • The master application attests each replica and establishes a secure channel with each replica of the application binary A (S403).
  • Each pair of replicas establishes a secure connection between them (S404). In an embodiment, the master application distributes a random key to each pair of replicas for establishing the secure channel (S404a). In an embodiment, each pair of replicas performs remote attestation to form the secure channel (S404b).
  • The master application splits the input x into n additive random shares, and sends a share to each of the replicas (S405).
  • Each replica computes its share of the output (S406). When the function f is linear, then each replica computes its share of the output separately (S406a). When the function f is non-linear, then all replicas engage in a secure multi-party computation protocol to compute their output shares (S406b). Once the output shares are computed, the output shares are sent to and received by the master application (S407).
  • The master application aggregates the output shares to compute the output (S408).
  • The master application sends the output to the application owner (S409).
  • FIG. 5 is a block diagram of a processing system according to one embodiment for providing a secure trusted execution environment. The processing system can be used to implement the system and method described above. For example, each of the platforms, the application owner, and master application may be implemented on a processing system such as shown in FIG. 5. Each processing system includes at least one processor 704, such as a central processing unit (CPU) of the computing device or a dedicated special-purpose processor, executes computer executable instructions comprising embodiments of the system for performing the functions and methods described above. In embodiments, the computer executable instructions are stored (e.g., locally stored) and accessed from a non-transitory computer readable medium, such as storage 710, which may be a hard drive or flash drive. Read Only Memory (ROM) 706 includes computer executable instructions for initializing the processor 704, while the random-access memory (RAM) 708 is the main memory for loading and processing instructions executed by the processor 704. The network interface 712 may connect to a wired network or cellular network and to a local area network or wide area network, such as the Internet.
  • While the invention has been illustrated and described in detail in the drawings and foregoing description, such illustration and description are to be considered illustrative or exemplary and not restrictive. It will be understood that changes and modifications may be made by those of ordinary skill within the scope of the following claims. In particular, the present invention covers further embodiments with any combination of features from different embodiments described above and below. Additionally, statements made herein characterizing the invention refer to an embodiment of the invention and not necessarily all embodiments.
  • The terms used in the claims should be construed to have the broadest reasonable interpretation consistent with the foregoing description. For example, the use of the article "a" or "the" in introducing an element should not be interpreted as being exclusive of a plurality of elements. Likewise, the recitation of "or" should be interpreted as being inclusive, such that the recitation of "A or B" is not exclusive of "A and B," unless it is clear from the context or the foregoing description that only one of A and B is intended. Further, the recitation of "at least one of A, B and C" should be interpreted as one or more of a group of elements consisting of A, B and C, and should not be interpreted as requiring at least one of each of the listed elements A, B and C, regardless of whether A, B and C are related as categories or otherwise. Moreover, the recitation of "A, B and/or C" or "at least one of A, B or C" should be interpreted as including any singular entity from the listed elements, e.g., A, any subset from the listed elements, e.g., A and B, or the entire list of elements A, B and C.

Claims (15)

  1. A method for securing a system comprising an application owner, a master application, and a plurality secure platforms, the method comprising:
    receiving, by the master application from the application owner, an application and an input, the application configured to compute a function to calculate an output from the input when executed;
    deploying, by the master application, a plurality of replicas of the application on a number of the secure platforms;
    establishing, by the master application, a secure channel with each of the replicas;
    sending, by the master application, at least a portion of the input to the replicas;
    receiving, by the master application, a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;
    determining, by the master application, the output based on the result received from each of the replicas; and
    sending, by the master application to the application owner, the output.
  2. The method according to claim 1, the method further comprising:
    instantiating, by the master application a threshold signature signing scheme, the instantiating comprising:
    distributing, by the master application, a respective share of a signing key of the threshold signature signing scheme to each of the replicas; and
    sending, by the master application, a verification key of the threshold signature signing scheme to the application owner; and
    receiving, by the master application from each of the replicas, a respective partial signature of the result calculated by the respective one of the replicas, the respective partial signature being based on the respective share of the signing key;
  3. The method according to claim 1 or 2,
    wherein the master application sends the entire input to each of the replicas, and
    wherein the respective result received by the master application for each of the replicas corresponds to the output of the function applied to the input,
  4. The method according to claim 2, the method further comprising:
    generating, by the master application, a reconstructed signature based on the respective partial signature received from each of the replicas; and
    outputting, by the master application, the reconstructed signature to the application owner,
    wherein the reconstructed signature is configured to be verified by the verification key,
    wherein the respective result received by the master application for each of the replicas is signed with the respective partial signature, and
    wherein the output is configured to be verified using the reconstructed signature and the verification key.
  5. The method according to any of claims 1 to 4, wherein the master application and the secure platforms are instantiated in trusted execution environment enclaves.
  6. The method according to any of claims 1 to 5, the method further comprising:
    receiving, by the master application, a replication parameter,
    wherein the number of replicas and the number of security platforms each correspond to the replication parameter.
  7. The method according to any of claims 1 to 6, wherein the number of secure platforms is at least two.
  8. The method according to any of claims 1 to 7, the method further comprising:
    respectively selecting, by the master application, a key for each pair of the replicas, and
    respectively sending, by the master application, the respective key to each pair of the replicas,
    the respective key being configured to enable a secure channel between the respective pair of the replicas.
  9. The method according to claim 8, wherein the key is a random key.
  10. The method according to any of claims 1 to 9, the method further comprising:
    splitting, by the master application, the input into shares of the input,
    wherein the at least a portion of the input respectively sent to each of the respective replicas corresponds to one of the shares of the input, and
    wherein the respective result calculated by each of the replicas is a partial result that is determined according to the function applied to the respective one of the shares of the input;
    wherein the output is determined by aggregating the partial result respectively received from each of the replicas.
  11. The method according to claim 10, wherein the function is linear and the respective partial result received is calculated individually the respective one of the replicas.
  12. The method according to claim 10, wherein the function is non-linear and the respective partial result received is calculated based on a secure multi party protocol between the replicas.
  13. A secure platform comprising a processor coupled to a non-transitory storage memory containing instructions, which when executed by the processor, cause the secure platform to instantiate a master application in a secure enclave, the master application configured to perform the following operations:
    receive an application and an input, the application configured to compute a function to calculate an output from the input when executed;
    deploy a plurality of replicas of the application on a number of secure platforms;
    establish a secure channel with each of the replicas;
    send at least a portion of the input to the replicas;
    receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;
    determine the output based on the result received from each of the replicas; and
    send to an application owner, the output.
  14. The secure platform according to claim 13, wherein the master application is configured to utilize either a replication and threshold signature scheme or a replication and multi-party computation scheme to protect against side-channel attacks.
  15. A non-transitory computer-readable storage medium storing instructions that upon execution cause a master application, instantiated in a secure enclave, to perform the following operations:
    receive an application and an input, the application configured to compute a function to calculate an output from the input when executed;
    deploy a plurality of replicas of the application on a number of secure platforms;
    establish a secure channel with each of the replicas;
    send at least a portion of the input to the replicas;
    receive a result calculated by each of the replicas, the result being determined according to the function and the at least the portion of input;
    determine the output based on the result received from each of the replicas; and
    send to an application owner, the output.
EP19183659.2A 2018-07-06 2019-07-01 Method and system for providing security in trusted execution environments Active EP3591893B1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201862694477P 2018-07-06 2018-07-06
US16/454,136 US11362841B2 (en) 2018-07-06 2019-06-27 Method and system for providing security in trusted execution environments

Publications (2)

Publication Number Publication Date
EP3591893A1 true EP3591893A1 (en) 2020-01-08
EP3591893B1 EP3591893B1 (en) 2021-03-17

Family

ID=67211512

Family Applications (1)

Application Number Title Priority Date Filing Date
EP19183659.2A Active EP3591893B1 (en) 2018-07-06 2019-07-01 Method and system for providing security in trusted execution environments

Country Status (2)

Country Link
US (1) US11362841B2 (en)
EP (1) EP3591893B1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220245237A1 (en) * 2021-02-04 2022-08-04 NEC Laboratories Europe GmbH Clone application detection mechanism for securing trusted execution environments against a malicious operating system

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11362841B2 (en) * 2018-07-06 2022-06-14 Nec Corporation Method and system for providing security in trusted execution environments
US11811933B2 (en) 2019-11-27 2023-11-07 Visa International Service Association System and method for fair, secure n-party computation using at least one blockchain
US11582203B2 (en) * 2019-12-13 2023-02-14 TripleBlind, Inc. Systems and methods for encrypting data and algorithms
EP4260267A4 (en) 2020-12-11 2024-05-15 Visa Int Service Ass System, method, and computer program product for secure real-time n-party computation
US20220103557A1 (en) * 2021-12-08 2022-03-31 Intel Corporation Mechanism for managing services to network endpoint devices
IL292083A (en) * 2022-04-08 2023-11-01 Google Llc Secure computation using multi-party computation and a trusted execution environment
IL292998A (en) * 2022-05-13 2023-12-01 Google Llc Secure multi-party computation with attestation using a trusted execution environment

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017179059A1 (en) * 2016-04-14 2017-10-19 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Self-stabilizing secure and heterogeneous systems

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5825880A (en) * 1994-01-13 1998-10-20 Sudia; Frank W. Multi-step digital signature method and system
US20130326602A1 (en) * 2011-02-22 2013-12-05 Hewlett-Packard Development Company, L.P. Digital Signatures
EP2905922A1 (en) * 2014-02-10 2015-08-12 Thomson Licensing Signing method delivering a partial signature associated to a message, threshold signing method, signature verification method, and corresponding computer program and electronic devices
KR101989943B1 (en) * 2017-04-28 2019-06-17 삼성에스디에스 주식회사 Apparatus and method for performing operation being secure against side channel attack
US11362841B2 (en) * 2018-07-06 2022-06-14 Nec Corporation Method and system for providing security in trusted execution environments

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017179059A1 (en) * 2016-04-14 2017-10-19 B. G. Negev Technologies And Applications Ltd., At Ben-Gurion University Self-stabilizing secure and heterogeneous systems

Non-Patent Citations (9)

* Cited by examiner, † Cited by third party
Title
AHMAD MOGHIMI ET AL.: "CacheZoom: How {SGX} Amplifies the Power of Cache Attacks", CHES, 2017
ALEXANDRA BOLDYREVA: "Threshold Signatures, Multisignatures and Blind Signatures Based on the Gap-Diffie-Hellman-Group Signature Scheme", 2003, PUBLIC KEY CRYPTOGRAPHY
BONEH ET AL.: "Short Signatures from the Weil Pairing", ASIACRYPT, 2001
GUOXING CHEN ET AL.: "SgxPectre Attacks: Stealing Intel Secrets from SGX Enclaves via Speculative Execution", CORR/ABS/1802.09085, 2018
IVAN DAMGARD ET AL.: "Multiparty Computation from Somewhat Homomorphic Encryption", CRYPTO, 2012
JIAN LIU ET AL: "Scalable Byzantine Consensus via Hardware-assisted Secret Sharing", ARXIV.ORG, CORNELL UNIVERSITY LIBRARY, 201 OLIN LIBRARY CORNELL UNIVERSITY ITHACA, NY 14853, 15 December 2016 (2016-12-15), XP080744551 *
J-M BOHLI ET AL: "Security and Privacy-Enhancing Multicloud Architectures", IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, vol. 10, no. 4, 1 July 2013 (2013-07-01), US, pages 212 - 224, XP055621361, ISSN: 1545-5971, DOI: 10.1109/TDSC.2013.6 *
MARCUS HAHNEL ET AL.: "High-Resolution Side Channels for Untrusted Operating Systems", USENIX ATC, 2017
PAUL KOCHER ET AL.: "Spectre Attacks: Exploiting Speculative Execution", CORR ABS/1801.01203, 2018

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220245237A1 (en) * 2021-02-04 2022-08-04 NEC Laboratories Europe GmbH Clone application detection mechanism for securing trusted execution environments against a malicious operating system
US11836244B2 (en) * 2021-02-04 2023-12-05 Nec Corporation Clone application detection mechanism for securing trusted execution environments against a malicious operating system

Also Published As

Publication number Publication date
EP3591893B1 (en) 2021-03-17
US20200014546A1 (en) 2020-01-09
US11362841B2 (en) 2022-06-14

Similar Documents

Publication Publication Date Title
US11362841B2 (en) Method and system for providing security in trusted execution environments
US10785019B2 (en) Data transmission method and apparatus
CN106161034B (en) RSA decryption using multiplicative secret sharing
CN108199835B (en) Multi-party combined private key decryption method
US9571274B2 (en) Key agreement protocol
US11870891B2 (en) Certificateless public key encryption using pairings
CN109800584A (en) A kind of identity or encryption attribute calculation method and system based on Intel SGX mechanism
US20150222422A1 (en) Systems and methods for faster public key encryption using the associated private key portion
CN109936456B (en) Anti-quantum computation digital signature method and system based on private key pool
CA3178180A1 (en) Constructing a distributed ledger transaction on a cold hardware wallet
Wu et al. Poster: a certificateless proxy re-encryption scheme for cloud-based data sharing
He et al. Analysis of handover authentication protocols for mobile wireless networks using identity-based public key cryptography
Khatarkar et al. A survey and performance analysis of various RSA based encryption techniques
US20160352689A1 (en) Key agreement protocol
Zhang et al. Robust and efficient password authenticated key agreement with user anonymity for session initiation protocol‐based communications
CN108055134B (en) Collaborative computing method and system for elliptic curve point multiplication and pairing operation
US20240114025A1 (en) Modification of device behavior for use in secure networking
US20220038267A1 (en) Methods and devices for secured identity-based encryption systems with two trusted centers
CN112380579A (en) Lattice-based forward security certificateless digital signature scheme
Lakshmi et al. Medical image encryption using enhanced Rivest Shamir Adleman algorithm
WO2016187690A1 (en) Key agreement protocol
Hsu et al. A dynamic identity end-to-end authentication key exchange protocol for iot environments
CN109951287B (en) Anti-quantum computation signcryption method and system based on private key pool
Panwar Asymmetric Key Cryptography
Deosarkar et al. A Dual Security Protection Mechanism for Cloud-Based Data Storage and Sharing

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN PUBLISHED

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

AX Request for extension of the european patent

Extension state: BA ME

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE

17P Request for examination filed

Effective date: 20200619

RBV Designated contracting states (corrected)

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

GRAP Despatch of communication of intention to grant a patent

Free format text: ORIGINAL CODE: EPIDOSNIGR1

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: GRANT OF PATENT IS INTENDED

INTG Intention to grant announced

Effective date: 20201215

GRAS Grant fee paid

Free format text: ORIGINAL CODE: EPIDOSNIGR3

GRAA (expected) grant

Free format text: ORIGINAL CODE: 0009210

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE PATENT HAS BEEN GRANTED

AK Designated contracting states

Kind code of ref document: B1

Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR

RAP1 Party data changed (applicant data changed or rights of an application transferred)

Owner name: NEC CORPORATION

REG Reference to a national code

Ref country code: GB

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: CH

Ref legal event code: EP

REG Reference to a national code

Ref country code: DE

Ref legal event code: R096

Ref document number: 602019003215

Country of ref document: DE

REG Reference to a national code

Ref country code: IE

Ref legal event code: FG4D

REG Reference to a national code

Ref country code: AT

Ref legal event code: REF

Ref document number: 1373276

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210415

REG Reference to a national code

Ref country code: LT

Ref legal event code: MG9D

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210617

Ref country code: BG

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210617

Ref country code: HR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: GR

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210618

Ref country code: FI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

REG Reference to a national code

Ref country code: AT

Ref legal event code: MK05

Ref document number: 1373276

Country of ref document: AT

Kind code of ref document: T

Effective date: 20210317

REG Reference to a national code

Ref country code: NL

Ref legal event code: MP

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: RS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: LV

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: NL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CZ

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: EE

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: LT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: SM

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: AT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: PL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: RO

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: PT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210719

Ref country code: SK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210717

REG Reference to a national code

Ref country code: DE

Ref legal event code: R097

Ref document number: 602019003215

Country of ref document: DE

PLBE No opposition filed within time limit

Free format text: ORIGINAL CODE: 0009261

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: DK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: AL

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: ES

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

26N No opposition filed

Effective date: 20211220

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: SI

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MC

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

REG Reference to a national code

Ref country code: BE

Ref legal event code: MM

Effective date: 20210731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IT

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IS

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210717

Ref country code: LU

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210701

Ref country code: FR

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: IE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210701

Ref country code: BE

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20210731

REG Reference to a national code

Ref country code: CH

Ref legal event code: PL

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: LI

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220731

Ref country code: CH

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20220731

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: CY

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: HU

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT; INVALID AB INITIO

Effective date: 20190701

PGFP Annual fee paid to national office [announced via postgrant information from national office to epo]

Ref country code: DE

Payment date: 20230719

Year of fee payment: 5

GBPC Gb: european patent ceased through non-payment of renewal fee

Effective date: 20230701

PG25 Lapsed in a contracting state [announced via postgrant information from national office to epo]

Ref country code: MK

Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT

Effective date: 20210317

Ref country code: GB

Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES

Effective date: 20230701